Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
January 2026 Edition
Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.
This Edition’s Articles
Late February 2026 Cyber Threat Reports spotlight fast-moving real-world attacks – from FortiGate access at scale and WebDAV delivery tricks to LockBit activity and Lazarus-linked Medusa ransomware. Themes this round: abuse of trusted software, exposed infrastructure exploitation, and phishing/credential theft feeding downstream operations.
Nation-State Actors Exploit Notepad++ Supply Chain
Source: Unit 42 (Palo Alto Networks)
(Published: 11 February 2026)
Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. Read more.
OysterLoader Unmasked: The Multi-Stage Evasion Loader
Source: Sekoia.io Blog
(Published: 12 February 2026)
OysterLoader, also known as Broomstick and CleanUp, is multi-stage malware written in C++ that belongs to the loader (a.k.a. downloader) malware family. Read more.
Unpacking the New “Matryoshka” ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer
Source: Intego Mac Security Blog
(Published: 12 February 2026)
Intego Antivirus Labs is tracking an evolution of the “ClickFix” social engineering campaign targeting macOS users. Read more.
GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
Source: Google Cloud Blog
(Published: 12 February 2026)
In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. Read more.
LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXi systems
Source: Acronis
(Published: 12 February 2026)
The Acronis Threat Research Unit (TRU) analyzed the latest version of LockBit ransomware (version 5), which targets Windows, Linux and ESXi systems, and shares some similarities with the previous version 4. Read more.
Fake CAPTCHA in Action
Source: CERT Polska
(Published: 12 February 2026)
CERT Polska observed an ongoing campaign leveraging fake CAPTCHA verification pages to deliver malware to unsuspecting users. Read more.
RenEngine Campaign with HijackLoader, Lumma and ACR Stealer
Source: Securelist (Kaspersky)
(Published: 13 February 2026)
Researchers uncovered a multi-stage malware campaign distributing HijackLoader alongside Lumma and ACR Stealer payloads through compromised websites and phishing vectors. Read more.
Odyssey Stealer: macOS Crypto-Stealing Operation
Source: Censys
(Published: 14 February 2026)
Researchers identified Odyssey Stealer, a macOS-focused malware operation targeting cryptocurrency users through credential harvesting and wallet theft. Read more.
Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise
Source: JPCERT/CC
(Published: 16 February 2026)
JPCERT/CC observed multiple threat actors actively exploiting the React2Shell vulnerability shortly after disclosure, demonstrating rapid weaponization timelines. Read more.
AI LLM-Generated Malware Used to Exploit React2Shell
Source: Darktrace
(Published: 16 February 2026)
Darktrace researchers identified malware generated with assistance from large language models being used in exploitation attempts targeting React2Shell vulnerabilities. Read more.
CVE-2026-1731: BeyondTrust Exploitation Wave
Source: Darktrace
(Published: 16 February 2026)
Darktrace observed active exploitation attempts targeting CVE-2026-1731, highlighting rapid attacker adoption following vulnerability disclosure. Read more.
Shadow Campaigns Show Evidence of Global Espionage Using ShadowGuard Rootkit
Source: PolySwarm
(Published: 17 February 2026)
Researchers uncovered coordinated espionage activity leveraging the ShadowGuard rootkit to maintain stealthy long-term access across targets worldwide. Read more.
LATAM Businesses Hit by XWorm via Fake Financial Receipts: Full Campaign Analysis
Source: ANY.RUN
(Published: 17 February 2026)
Malware campaigns targeting Latin America (LATAM) are evolving. Read more.
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Source: Google Cloud Blog
(Published: 17 February 2026)
Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Read more.
Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
Source: Trend Micro
(Published: 17 February 2026)
Threat actors used Atlassian Jira Cloud and its connected email system to run automated spam campaigns, effectively bypassing traditional email security by abusing the strong domain reputation of Atlassian Jira Cloud products. Read more.
Invitation to Trouble: The Rise of Calendar Phishing Attacks
Source: Cofense Blog
(Published: 17 February 2026)
Before you click “Accept” on calendar invites, think twice – it could be a phishing scheme. Read more.
Banners, Bots and Butchers: An Automated Long Con Targeting Japan, Asia, and Beyond
Source: Infoblox Blog
(Published: 17 February 2026)
Over the past few months, we investigated cryptocurrency investment scam campaigns that combined two distinct fraud models: malvertising, which typically directs victims to fake investment platforms, and pig butchering, a scam that relies heavily on social engineering to gradually extract larger and larger sums of money from each victim over time. Read more.
Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets
Source: Securelist (Kaspersky)
(Published: 17 February 2026)
Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets. Read more.
UNC1069’s Social Engineering Operations Focused on Crypto Sector
Source: Hive Pro
(Published: 17 February 2026)
UNC1069, a financially motivated North Korea-linked threat actor, conducted a targeted intrusion against a financial technology (FinTech) entity in the cryptocurrency sector. Read more.
Operation MacroMaze: New APT28 Campaign Using Basic Tooling and Legit Infrastructure
Source: Lab52
(Published: 18 February 2026)
Researchers documented a new APT28 campaign leveraging legitimate services and simple tooling to evade traditional detection mechanisms. Read more.
Tech Impersonators, ClickFix and macOS Infostealers
Source: Datadog Security Labs
(Published: 18 February 2026)
Datadog researchers analyzed campaigns using impersonation techniques and ClickFix lures to distribute macOS infostealer malware. Read more.
Job scam uses fake Google Forms site to harvest Google logins
Source: Malwarebytes
(Published: 18 February 2026)
As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this:. Read more.
Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds
Source: Socket
(Published: 19 February 2026)
Researchers discovered a malicious Chrome extension capable of exfiltrating Meta Business Manager data alongside time-based one-time password authentication seeds. Read more.
AI-augmented threat actor accesses FortiGate devices at scale
Source: AWS Security Blog
(Published: 20 February 2026)
Commercial AI services are enabling even unsophisticated threat actors to conduct cyberattacks at scale – a trend Amazon Threat Intelligence has been tracking closely. Read more.
UNC1069 Uses New Tools to Target Crypto Entities
Source: PolySwarm
(Published: 20 February 2026)
A targeted intrusion into a FinTech entity in the cryptocurrency sector was attributed to UNC1069, a North Korea-nexus financially motivated threat actor. Read more.
Apache ActiveMQ Exploit Leads to LockBit Ransomware
Source: The DFIR Report
(Published: 23 February 2026)
This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. Read more.
North Korean Lazarus Group Now Working With Medusa Ransomware
Source: SECURITY.COM
(Published: 24 February 2026)
North Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion attacks on the U.S. healthcare sector. Read more.
1Campaign: A New Cloaking Platform Helping Attackers Abuse Google Ads
Source: Varonis
(Published: 24 February 2026)
1Campaign is a new cloaking platform that helps attackers bypass Google Ads screening, evade security researchers, and keep phishing and crypto drainer pages online longer. Read more.
Want more articles? Check out the previous edition of Security Signals here.